Selecting Boot resulted in a familiar 'bad magic number' error. However, selecting Factory reset resulted in th device booting. This time DFU was operational, but /dev/ttyACM0 was not available so there was no way to change the environment variable for splashimage.

+

Selecting Boot resulted in a familiar 'bad magic number' error. However, selecting Factory reset resulted in the device booting. This time DFU was operational, but /dev/ttyACM0 was not available so there was no way to change the environment variable for splashimage.

−

+

==== Attempt 2 ====

==== Attempt 2 ====

Revision as of 09:30, 12 August 2007

Contents

Notes on a 'bricked' Neo

I've just spent a very long time, with the help of a few people on irc (who I now owe drinks to), trying to recover my Neo. This page is the result and is supposed to act as a collection of information to help owners with bricked or semi-bricked devices.

The Problem defined

A typing error in the splashimage environment variable resulted in the splash image being read into the memory starting at 0x200000 rather than 0x32000000. The change was written, with the error being unnoticed, using saveenv. As a result it was not possible to connect the device to usb until it had booted fully. Any attempt to either start with usb plugged in or plugging it in at the u-boot prompt resulted in a locked up device. Looking at dmesg on the host the following errors were reported

So the problem was that although the device could now boot there was no way to flash it with dfu.

The Solution

The solution was to try and prevent the splashimage environment variable from being looked at, thus preventing the write to the wrong area of memory.

Attempt 1

The idea was to dump mtdblock1 to a file, scp the file to a PC, hex edit it scp the file back to the phone and then dd the result into the mtdblock.

On the Neo

dd if=/dev/mtdblock1 of=mtdblock1.bin

Rebooting was required because of the i/o errors. The i/o error problem has been reported as bug 567

Once the Neo had rebooted the file was copied to a PC using scp. The first attempt to hex edit was made, the idea was to change 1 byte of the word splashimage so that it would, hopefully, be ignored by the bootloader. The resulting file was scp'd back to the Neo and written to flash

dd if=new_mtdblock1 of=/dev/mtdblock1

again once this was done a 'reboot' was performed.

Result 1

When the device booted there was a small tux image in the top left hand corner of the screen and a u-boot version string displayed over some of it. The device would not continue to boot.

Powered off the Neo, powered on with AUX+POWER go give a reduced boot menu.

Boot
Factory reset

Selecting Boot resulted in a familiar 'bad magic number' error. However, selecting Factory reset resulted in the device booting. This time DFU was operational, but /dev/ttyACM0 was not available so there was no way to change the environment variable for splashimage.

Attempt 2

This idea involved taking the mtdblock1 from a working Neo and dd'ing it to the failed Neo's flash.

Result 2

The process was similar to attempt one, although no hex edit took place. The result was that the Neo booted perfectly, although without a splash screen. As the next stage for this the mtdblock3 was dumped from the working Neo and dd'd into mtdblock3 of the Neo with no splash screen.

The final result was a perfectly fine Neo with a splash screen and working boot menu and dfu capabilities.

Discoveries

1. You can use dd to extract and overwrite your mtd partitions. This works particularly well for u-boot-env and splash providing the source device has a similar partition layout. Doing this on the u-boot partition was not tested. However, after you have used dd on the mtdblock devices as either the if= or of= you get i/o errors with even basic commands. The only way to get round this is to 'reboot' by removing the battery.

2. Hex editing the extracted mtd partition (u-boot-env) and trying to dd that works but the results are not what is expected. It appears that if one of the boot env parameters is missing, in this case splashimage, the u-boot-env parameters are all treated as if they were blank and the device uses default settings.

3. QEMU is very useful for testing out your theories before actually doing them on a real device. Most of the things we tried were tried on qemu first. Sadly QEMU's sd card emulation appears to be broken.

Views

Personal tools

Notes on a 'bricked' Neo

I've just spent a very long time, with the help of a few people on irc (who I now owe drinks to), trying to recover my Neo. This page is the result and is supposed to act as a collection of information to help owners with bricked or semi-bricked devices.

The Problem defined

A typing error in the splashimage environment variable resulted in the splash image being read into the memory starting at 0x200000 rather than 0x32000000. The change was written, with the error being unnoticed, using saveenv. As a result it was not possible to connect the device to usb until it had booted fully. Any attempt to either start with usb plugged in or plugging it in at the u-boot prompt resulted in a locked up device. Looking at dmesg on the host the following errors were reported

So the problem was that although the device could now boot there was no way to flash it with dfu.

The Solution

The solution was to try and prevent the splashimage environment variable from being looked at, thus preventing the write to the wrong area of memory.

Attempt 1

The idea was to dump mtdblock1 to a file, scp the file to a PC, hex edit it scp the file back to the phone and then dd the result into the mtdblock.

On the Neo

dd if=/dev/mtdblock1 of=mtdblock1.bin

Rebooting was required because of the i/o errors. The i/o error problem has been reported as bug 567

Once the Neo had rebooted the file was copied to a PC using scp. The first attempt to hex edit was made, the idea was to change 1 byte of the word splashimage so that it would, hopefully, be ignored by the bootloader. The resulting file was scp'd back to the Neo and written to flash

dd if=new_mtdblock1 of=/dev/mtdblock1

again once this was done a 'reboot' was performed.

Result 1

When the device booted there was a small tux image in the top left hand corner of the screen and a u-boot version string displayed over some of it. The device would not continue to boot.

Powered off the Neo, powered on with AUX+POWER go give a reduced boot menu.

Boot
Factory reset

Selecting Boot resulted in a familiar 'bad magic number' error. However, selecting Factory reset resulted in th device booting. This time DFU was operational, but /dev/ttyACM0 was not available so there was no way to change the environment variable for splashimage.

Attempt 2

This idea involved taking the mtdblock1 from a working Neo and dd'ing it to the failed Neo's flash.

Result 2

The process was similar to attempt one, although no hex edit took place. The result was that the Neo booted perfectly, although without a splash screen. As the next stage for this the mtdblock3 was dumped from the working Neo and dd'd into mtdblock3 of the Neo with no splash screen.

The final result was a perfectly fine Neo with a splash screen and working boot menu and dfu capabilities.

Discoveries

1. You can use dd to extract and overwrite your mtd partitions. This works particularly well for u-boot-env and splash providing the source device has a similar partition layout. Doing this on the u-boot partition was not tested. However, after you have used dd on the mtdblock devices as either the if= or of= you get i/o errors with even basic commands. The only way to get round this is to 'reboot' by removing the battery.

2. Hex editing the extracted mtd partition (u-boot-env) and trying to dd that works but the results are not what is expected. It appears that if one of the boot env parameters is missing, in this case splashimage, the u-boot-env parameters are all treated as if they were blank and the device uses default settings.

3. QEMU is very useful for testing out your theories before actually doing them on a real device. Most of the things we tried were tried on qemu first. Sadly QEMU's sd card emulation appears to be broken.